
Quick Start Security for NGINX ModSecurity WAF

NGINX ModSecurity WAF

Coralogix Extension For NGINX ModSecurity WAF Includes:

Alerts - 6

Stay on top of NGINX ModSecurity WAF key performance metrics. Keep everyone in the know through integrations with Slack, PagerDuty and more.

Possible Information Disclosure

This alert detects when a successful HTTP GET request (2XX response) targets a URL that ends with one of a set of specific file extensions (such as .txt) whose contents can contain information that should not be disclosed directly to the internet. The following file extensions are detected by this alert:

Configuration Files: .env, .config, .ini, .conf
Backup Files: .bak, .old, .zip
Log Files: .log, .txt, .log.txt
Source Code Files: .java, .py, .rb
Database Dump Files: .sql, .dump
Backup Scripts: .sh, .bat, .ps1
Private Keys and Certificates: .pem, .key, .p12, .crt

Please note: this alert may require tuning based on the web application's usage (i.e. if it legitimately serves any of the listed file extensions). File extensions can be added or removed, and the match condition can be tuned to a lower or higher rate of occurrence to match the operation of the web application.

Impact: Information disclosure attacks can have severe consequences for individuals and organizations, and can result in a data and privacy breach.

Mitigation: Investigate the URLs and confirm whether they are legitimate and part of the web application's normal operation and purpose. If not, consider blocking the client IP on the WAF.

MITRE Tactic: TA0009
MITRE Technique: T1048
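As an added illustration (not part of the Coralogix extension or its alert definition), the following Python reproduces the alert's match logic over constructed NGINX access-log lines: a GET with a 2XX status whose path ends with one of the listed extensions. The combined log format, the field names and the query-string stripping are assumptions.

```python
import re

# Extension list exactly as given in the alert description above.
SENSITIVE_EXTENSIONS = {
    "Configuration Files": (".env", ".config", ".ini", ".conf"),
    "Backup Files": (".bak", ".old", ".zip"),
    "Log Files": (".log", ".txt", ".log.txt"),
    "Source Code Files": (".java", ".py", ".rb"),
    "Database Dump Files": (".sql", ".dump"),
    "Backup Scripts": (".sh", ".bat", ".ps1"),
    "Private Keys and Certificates": (".pem", ".key", ".p12", ".crt"),
}

# Assumed NGINX "combined" access-log layout: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding dict for a successful GET of a sensitive extension, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: ignore
    if m["method"] != "GET" or not m["status"].startswith("2"):
        return None                      # alert only fires on GET + 2XX
    # Assumption: strip the query string so "/.env?x=1" is matched on its path.
    path = m["path"].split("?", 1)[0].lower()
    for category, exts in SENSITIVE_EXTENSIONS.items():
        if path.endswith(exts):
            return {"ip": m["ip"], "path": path, "status": m["status"], "category": category}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log lines (documentation IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /backup/db.sql?dl=1 HTTP/1.1" 200 40960 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /config.ini HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "POST /upload.py HTTP/1.1" 200 10 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} fetched {f['path']} ({f['category']}, HTTP {f['status']})")
```

Only the first two sample lines are flagged: the 404 and the POST are excluded by the alert's GET + 2XX condition, which is where the tuning note above applies if the application legitimately serves such files.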

Brute Force on Login URLs

This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages involve systematically attempting multiple combinations of usernames and passwords until a successful login is achieved. This technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error.

Impact: The impact varies depending on the success of the attack and the sensitivity of the targeted system, and can include account compromise, privilege escalation, data breach, resource exhaustion and a weakened security posture.

Mitigation: If the aggregated logs show actual login URLs that match your web application's login, check whether the requests were intercepted by the WAF. If not, consider blocking the offending IP on the WAF/firewall.

MITRE Tactic: TA0006
MITRE Technique: T1110

Remote Code Execution Attack

This alert detects when a Remote Code Execution (RCE) attack may be taking place, based on triggered NGINX ModSecurity WAF rules that contain a certain set of keywords representing RCE attacks, over a determined period of time in the context of a single IP address.

Impact: May be an indication of an RCE attack, in which assets may be compromised by malicious actors.

Mitigation: Validate the requests intercepted and blocked by the WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs and origin server response codes.

MITRE Tactic: TA0001
MITRE Technique: T1203

SQLi Attack

This alert detects when a SQL Injection (SQLi) attack may be taking place, based on triggered NGINX ModSecurity WAF rules that contain a certain set of keywords representing SQLi attacks, over a determined period of time in the context of a single IP address.

Impact: May be an indication of an SQLi attack, which can have serious consequences for organizations, including data breach, application disruption and unauthorized access to organizational assets.

Mitigation: Validate the requests intercepted and blocked by the WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs and origin server response codes.

MITRE Tactic: TA0001
MITRE Technique: T1059

XSS Attack

This alert detects when a Cross Site Scripting (XSS) attack may be taking place, based on triggered NGINX ModSecurity WAF rules that contain a certain set of keywords representing XSS attacks, over a determined period of time in the context of a single IP address.

Impact: May be an indication of an XSS attack, which can have serious consequences for organizations, such as data theft, privacy breach and reputation damage.

Mitigation: Validate the requests intercepted and blocked by the WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs and origin server response codes.

MITRE Tactic: TA0001
MITRE Technique: T1190

NGINX - No logs from NGINX

This rule detects if there are no logs in the last 4 hours for NGINX in the customer account. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with NGINX ModSecurity WAF in our documentation.
